
Help removing worm.win32.netsky virus [Closed]


This topic is locked

#1 hazeledsunshine (New Member, 8 posts)
A virus attacked the computer at my work while I was gone for two days. I'm not sure what caused it, but I have various popups that keep appearing, one saying that the Worm.Win32.NetSky virus has been detected and I need to do a full system scan. I have done this with both McAfee and Spybot Search and Destroy and cannot seem to get it off. Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:01 AM, on 12/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...TP&M=GT5228
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: {e77e6b5f-83c1-fb0b-9ea4-0624103f87ef} - {fe78f301-4260-4ae9-b0bf-1c38f5b6e77e} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [hubavagok] Rundll32.exe "c:\windows\system32\luhuvoyu.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D1D3EEF-A34F-4E59-B2C3-FD8D8EC876A0}: NameServer = 193.104.110.38,4.2.2.1,74.128.17.114 74.128.19.102
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: heparira.dll c:\windows\system32\losuruta.dll c:\windows\system32\luhuvoyu.dll
O21 - SSODL: rehonetah - {02593f7d-909c-4947-af5f-b575484678a9} - c:\windows\system32\losuruta.dll (file missing)
O21 - SSODL: titadubeh - {f581d833-181c-4105-9b17-0eaac1bf3209} - c:\windows\system32\luhuvoyu.dll
O22 - SharedTaskScheduler: mujuzedij - {02593f7d-909c-4947-af5f-b575484678a9} - c:\windows\system32\losuruta.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {f581d833-181c-4105-9b17-0eaac1bf3209} - c:\windows\system32\luhuvoyu.dll
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

--
End of file - 9685 bytes

Edited by hazeledsunshine, 28 December 2009 - 10:06 AM.



#2 Rorschach112 (Retired Staff, 47,710 posts)
Fix these with HJT:

O20 - AppInit_DLLs: heparira.dll c:\windows\system32\losuruta.dll c:\windows\system32\luhuvoyu.dll
O21 - SSODL: rehonetah - {02593f7d-909c-4947-af5f-b575484678a9} - c:\windows\system32\losuruta.dll (file missing)
O21 - SSODL: titadubeh - {f581d833-181c-4105-9b17-0eaac1bf3209} - c:\windows\system32\luhuvoyu.dll
O22 - SharedTaskScheduler: mujuzedij - {02593f7d-909c-4947-af5f-b575484678a9} - c:\windows\system32\losuruta.dll (file missing)


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
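The triage Rorschach112 did by eye on the HJT log above (UserInit pointing at winlogon86.exe, the AppInit_DLLs, SSODL and SharedTaskScheduler hooks, the rundll32 Run entry loading luhuvoyu.dll) can be written down as rules. What follows is an added example, not part of the thread and not HijackThis code: the sample log is a subset of the lines posted above, the name patterns, severities and the stock XP UserInit value are this example's own assumptions, and the O17 rule only asks you to confirm the resolvers with the ISP, it does not call them malicious.

```python
"""Triage a HijackThis (HJT) log for autostart entries worth a second look.
Added example for this thread: not HijackThis code, and the name patterns,
severities and the XP UserInit default are this example's own assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HJT lines posted above, with benign
# entries kept so the rules can be checked against them.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {e77e6b5f-83c1-fb0b-9ea4-0624103f87ef} - {fe78f301-4260-4ae9-b0bf-1c38f5b6e77e} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [hubavagok] Rundll32.exe "c:\windows\system32\luhuvoyu.dll",a
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D1D3EEF-A34F-4E59-B2C3-FD8D8EC876A0}: NameServer = 193.104.110.38,4.2.2.1,74.128.17.114 74.128.19.102
O20 - AppInit_DLLs: heparira.dll c:\windows\system32\losuruta.dll c:\windows\system32\luhuvoyu.dll
O21 - SSODL: titadubeh - {f581d833-181c-4105-9b17-0eaac1bf3209} - c:\windows\system32\luhuvoyu.dll
O22 - SharedTaskScheduler: gahurihor - {f581d833-181c-4105-9b17-0eaac1bf3209} - c:\windows\system32\luhuvoyu.dll
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CONSONANT = "[bcdfghjklmnpqrstvwxyz]"
# Eight or nine lowercase letters in strict consonant/vowel alternation, the
# naming style of every dropped module in this thread. Real words such as
# "kawasaki" match too, so it is a review signal, not a verdict.
CV_NAME = re.compile(rf"^(?:{CONSONANT}[aeiou]){{4}}{CONSONANT}?$")
# A core Windows binary name with digits appended (winlogon86 is not winlogon).
LOOKALIKE = re.compile(r"^(?:winlogon|userinit|svchost|lsass|csrss|services|explorer|smss)\d+$")
# rundll32 loading a DLL and calling a single-letter export.
RUNDLL_ONE_LETTER = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*[a-z]\s*$', re.I)
XP_USERINIT = r"c:\windows\system32\userinit.exe,"   # stock value, trailing comma included


@dataclass
class Finding:
    section: str    # HJT section tag, e.g. "O20"
    severity: str   # "high" or "review"
    reason: str
    line: str


def _first_token(cmd: str) -> str:
    """Program path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def _name_reason(path: str) -> Optional[str]:
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if CV_NAME.match(base):
        return f"random-looking module name '{base}'"
    if LOOKALIKE.match(base):
        return f"'{base}' impersonates a Windows system binary"
    if "\\system32\\" in path.lower() and re.search(r"\d{2,}$", base):
        return f"'{base}' is a digit-suffixed binary sitting directly in system32"
    return None


def _public(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        sec, body = m.groups()
        if sec == "F2" and "UserInit=" in body:
            if body.split("UserInit=", 1)[1].strip().lower() != XP_USERINIT:
                findings.append(Finding(sec, "high", "UserInit is not the stock value; it runs at every logon", line))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding(sec, "review", "orphaned BHO registration, no file on disk", line))
        elif sec == "O4":
            cmd = re.sub(r"^.*?\[[^\]]*\]\s*", "", body)       # drop 'HKLM\..\Run: [name]'
            rd = RUNDLL_ONE_LETTER.search(cmd)
            if rd:
                findings.append(Finding(sec, "high", f"rundll32 calls a one-letter export of {rd.group(1)}", line))
            else:
                why = _name_reason(_first_token(cmd))
                if why:
                    findings.append(Finding(sec, "review", why, line))
        elif sec == "O17":
            servers = re.split(r"[,\s]+", body.split("NameServer =", 1)[1].strip())
            public = [s for s in servers if _public(s)]
            if public:
                findings.append(Finding(sec, "review", "resolvers outside private address space: "
                                        + ", ".join(public) + "; confirm they are the ISP's", line))
        elif sec == "O20":
            findings.append(Finding(sec, "high", "AppInit_DLLs is loaded into every process that maps user32.dll and is normally empty", line))
        elif sec in ("O21", "O22"):
            why = _name_reason(body.rsplit(" - ", 1)[-1])
            if why:
                findings.append(Finding(sec, "high", why + ", registered as a shell hook", line))
            else:
                findings.append(Finding(sec, "review", "non-default SSODL/SharedTaskScheduler hook", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run against the sample it flags the same four entries the helper asked to fix plus the UserInit replacement, the rundll32 one-letter export and the digit-suffixed winupdate86.exe, and leaves the NVIDIA, Office and McAfee lines alone. The O17 line is reported as "review" only: public resolvers are normal for an ISP connection, but a replaced first resolver would redirect every lookup, so it is worth confirming.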

#3 hazeledsunshine (Topic Starter)
Also, I did find a similar question on here, but my situation seems to be a bit different. I also have a popup telling me that a trojan is on the computer and that I should download IDS? I have not done so, as it seems suspicious to me.

#4 Rorschach112 (Retired Staff)
Just follow my steps.

#5 hazeledsunshine (Topic Starter)
All those steps have been followed now, thank you for the quick response, BTW. Here is the log:

ComboFix 09-12-27.04 - Owner 12/28/2009 11:27:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1248 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-DC3E0B8F38\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner.YOUR-DC3E0B8F38\Application Data\Logs\scns.log
c:\recycler\S-1-5-21-3184997983-3164463926-2442236481-500
c:\windows\kb913800.exe
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\23811.exe
c:\windows\system32\24464.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\28703.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\system32\AVR10.exe
c:\windows\system32\hebiyeva.dll
c:\windows\system32\heparira.dll
c:\windows\system32\luhuvoyu.dll
c:\windows\system32\webomeru.exe
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\Tasks\srukygcs.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.116
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-28 16:32 . 2009-12-28 16:35 -------- d-----w- c:\windows\LastGood
2009-12-27 21:20 . 2009-12-27 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-27 21:20 . 2009-12-27 21:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 15:33 . 2009-12-03 15:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 16:29 . 2009-03-26 14:42 -------- d-----w- c:\documents and settings\Owner.YOUR-DC3E0B8F38\Application Data\Logs
2009-12-28 15:57 . 2006-12-30 21:14 -------- d-----w- c:\program files\Trend Micro
2009-12-18 14:57 . 2006-08-09 16:17 -------- d-----w- c:\program files\McAfee
2009-12-02 23:04 . 2006-08-09 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-17 20:36 . 2009-09-03 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-26 20:22 . 2009-09-26 20:22 53760 --sha-w- c:\windows\system32\banubulo.dll
2009-09-28 15:32 . 2009-09-28 15:32 61440 --sha-w- c:\windows\system32\fuweyuni.dll
2009-09-26 20:22 . 2009-09-26 20:22 39424 --sha-w- c:\windows\system32\kodafudi.dll
2009-09-28 15:32 . 2009-09-28 15:32 39424 --sha-w- c:\windows\system32\pihuwali.dll
2009-09-26 20:22 . 2009-09-26 20:22 53760 --sha-w- c:\windows\system32\rewapiyi.dll
2009-09-26 20:22 . 2009-09-26 20:22 92672 --sha-w- c:\windows\system32\ripeyepi.dll
2009-09-27 08:22 . 2009-09-27 08:22 45568 --sha-w- c:\windows\system32\sutuhoha.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d45e48b2-afe1-4d03-8ecd-81ab98a32320}]
2009-09-26 20:22 53760 --sha-w- c:\windows\system32\banubulo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 16010752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-12-09 00:57 550912 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 03:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-03-21 18:19 69632 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
2006-09-14 05:00 950337 ----a-w- c:\program files\Trend Micro\Antivirus\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCClient.exe]
2006-09-14 05:00 634949 ----a-w- c:\program files\Trend Micro\Antivirus\PCClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-09 16:13 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-09-30 05:14 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 08:23 75520 ----a-w- c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TM Outbreak Agent]
2006-09-14 05:00 290816 ----a-w- c:\program files\Trend Micro\Antivirus\TMOAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\Support\\Check_Appli\\pandora_detection.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2481:UDP"= 2481:UDP:Windows Media Format SDK (iexplore.exe)
"2480:UDP"= 2480:UDP:Windows Media Format SDK (iexplore.exe)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/30/2009 10:03 AM 93320]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [9/14/2006 12:00 AM 197648]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/14/2006 12:00 AM 31248]
S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [9/14/2006 12:00 AM 241737]
S2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [9/14/2006 12:00 AM 204873]
S3 ECRDRV;ECRDRV;c:\windows\system32\drivers\ecrdrv.sys [1/1/2007 5:26 PM 17636]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windstream.net/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {8D1D3EEF-A34F-4E59-B2C3-FD8D8EC876A0} = 193.104.110.38,4.2.2.1,74.128.17.114 74.128.19.102
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner.YOUR-DC3E0B8F38\Application Data\Mozilla\Firefox\Profiles\hp37wcgh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Owner.YOUR-DC3E0B8F38\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{fe78f301-4260-4ae9-b0bf-1c38f5b6e77e} - (no file)
HKLM-Run-hubavagok - c:\windows\system32\luhuvoyu.dll
HKLM-Run-gunerifimi - hebiyeva.dll
SharedTaskScheduler-{f581d833-181c-4105-9b17-0eaac1bf3209} - c:\windows\system32\luhuvoyu.dll
SSODL-titadubeh-{f581d833-181c-4105-9b17-0eaac1bf3209} - c:\windows\system32\luhuvoyu.dll
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-Cleanup - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\2006123016433_mcappins.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1155139980\EE\AOLHostManager.exe
MSConfigStartUp-msci - c:\docume~1\OWNER~1.YOU\LOCALS~1\Temp\2006123016432_mcinfo.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-PCFriendly - c:\program files\PCFriendly\inuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 11:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(684)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\ARPWRMSG.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-28 11:47:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 16:47

Pre-Run: 226,998,587,392 bytes free
Post-Run: 226,473,418,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 6D001F1B7588A6F35F9ACC296C7C69EC

#6 hazeledsunshine (Topic Starter)
Also, I disabled McAfee as well as I possibly could, but there's no option to completely close it out... at least as far as I can see in the advanced options.

#7 Rorschach112 (Retired Staff)
Hi

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...us-t263155.html

Collect::
c:\windows\system32\banubulo.dll
c:\windows\system32\fuweyuni.dll
c:\windows\system32\kodafudi.dll
c:\windows\system32\pihuwali.dll
c:\windows\system32\rewapiyi.dll
c:\windows\system32\ripeyepi.dll
c:\windows\system32\sutuhoha.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\dllhost.exe"=-

Suspect::


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

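The seven DLLs in the Collect:: section above are exactly the hidden+system (`--sha-w-`) files with random-looking names that the Find3M report in the first ComboFix log (post #5) listed under system32, and the Registry:: section uses REGEDIT4 syntax, in which `"name"=-` deletes a value, to pull dllhost.exe out of the XP firewall's AuthorizedApplications list. The following is an added example that goes from that listing to the script; it is not ComboFix code and not the helper's script, the Find3M sample is reconstructed from the log above with one benign line added, and the attribute and name rules are this example's own assumptions.

```python
"""From a ComboFix Find3M listing to the Collect::/Registry:: sections of a
CFScript. Added example for this thread: not ComboFix code and not the helper's
script; the attribute and name rules are this example's own assumptions."""
import re
from typing import List, Tuple

# Constructed sample: the Find3M lines from the first ComboFix log above plus
# one ordinary system32 file (wups2.dll, taken from the snapshot section and
# rewritten in Find3M form) so the filter has something to pass over.
SAMPLE_FIND3M = r"""
2009-12-18 14:57 . 2006-08-09 16:17 -------- d-----w- c:\program files\McAfee
2009-09-26 20:22 . 2009-09-26 20:22 53760 --sha-w- c:\windows\system32\banubulo.dll
2009-09-28 15:32 . 2009-09-28 15:32 61440 --sha-w- c:\windows\system32\fuweyuni.dll
2009-09-26 20:22 . 2009-09-26 20:22 39424 --sha-w- c:\windows\system32\kodafudi.dll
2009-09-28 15:32 . 2009-09-28 15:32 39424 --sha-w- c:\windows\system32\pihuwali.dll
2009-09-26 20:22 . 2009-09-26 20:22 53760 --sha-w- c:\windows\system32\rewapiyi.dll
2009-09-26 20:22 . 2009-09-26 20:22 92672 --sha-w- c:\windows\system32\ripeyepi.dll
2009-09-27 08:22 . 2009-09-27 08:22 45568 --sha-w- c:\windows\system32\sutuhoha.dll
2006-12-30 21:11 . 2009-08-07 00:24 44768 ----a-w- c:\windows\system32\wups2.dll
"""

# "<created> . <modified> <size or dashes> <attribute flags> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S{8}) (.+)$")
# Same consonant/vowel pattern the dropped modules in this thread follow.
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}[bcdfghjklmnpqrstvwxyz]?$")
# Registry key the helper edited, copied from the script in the thread.
FIREWALL_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List"


def suspicious_modules(listing: str) -> List[Tuple[str, str]]:
    """(path, reason) for files that look like dropped modules: a system+hidden
    file ('s' and 'h' in the attribute column) under system32 is unusual by
    itself; a random-looking name on top of that is what was collected here."""
    hits: List[Tuple[str, str]] = []
    for raw in listing.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue
        _created, _modified, size, attrs, path = m.groups()
        if size == "--------" or "d" in attrs:          # directory entry
            continue
        low = path.lower()
        if "\\windows\\system32\\" not in low or not ("s" in attrs and "h" in attrs):
            continue
        base = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if CV_NAME.match(base):
            hits.append((path, "hidden+system, random-looking name"))
        else:
            hits.append((path, "hidden+system file in system32"))
    return hits


def build_cfscript(collect: List[str], registry_deletes: List[Tuple[str, str]]) -> str:
    """Render the script text. Collect:: lists files ComboFix should zip up for
    analysis; Registry:: takes REGEDIT4 syntax, where "name"=- deletes the
    value, so backslashes in the value name are doubled as a .reg file requires."""
    lines = ["Collect::", *collect, ""]
    if registry_deletes:
        lines.append("Registry::")
        for key, value in registry_deletes:
            lines.append(f"[{key}]")
            lines.append('"' + value.replace("\\", "\\\\") + '"=-')
        lines.append("")
    return "\n".join(lines) + "\n"


def script_for(listing: str) -> str:
    """Collect every suspicious module and drop dllhost.exe from the XP firewall
    exception list, as the helper's script did."""
    paths = [p for p, _ in suspicious_modules(listing)]
    return build_cfscript(paths, [(FIREWALL_KEY, r"c:\WINDOWS\system32\dllhost.exe")])


if __name__ == "__main__":
    print(script_for(SAMPLE_FIND3M), end="")
```

The output matches the Collect:: and Registry:: sections the helper posted. The firewall entry is worth removing on its own merits: dllhost.exe is the COM surrogate host, and an inbound exception for it lets whatever COM object it is hosting accept connections, which is not something a user would normally have added.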

#8 hazeledsunshine (Topic Starter)
Is there supposed to be text after "Suspect::"? I've tried to run it three times and it continues to get stuck at "preparing to run".

#9 hazeledsunshine (Topic Starter)
Of course, after I posted that reply, it worked...

ComboFix 09-12-27.04 - Owner 12/28/2009 13:02:59.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1431 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-DC3E0B8F38\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-DC3E0B8F38\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\windows\system32\banubulo.dll
file zipped: c:\windows\system32\fuweyuni.dll
file zipped: c:\windows\system32\kodafudi.dll
file zipped: c:\windows\system32\pihuwali.dll
file zipped: c:\windows\system32\rewapiyi.dll
file zipped: c:\windows\system32\ripeyepi.dll
file zipped: c:\windows\system32\sutuhoha.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\banubulo.dll
c:\windows\system32\fuweyuni.dll
c:\windows\system32\kodafudi.dll
c:\windows\system32\pihuwali.dll
c:\windows\system32\rewapiyi.dll
c:\windows\system32\ripeyepi.dll
c:\windows\system32\sutuhoha.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-27 21:20 . 2009-12-27 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-27 21:20 . 2009-12-27 21:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-03 15:33 . 2009-12-03 15:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 16:52 . 2006-06-19 04:25 72392 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-28 16:29 . 2009-03-26 14:42 -------- d-----w- c:\documents and settings\Owner.YOUR-DC3E0B8F38\Application Data\Logs
2009-12-28 15:57 . 2006-12-30 21:14 -------- d-----w- c:\program files\Trend Micro
2009-12-18 14:57 . 2006-08-09 16:17 -------- d-----w- c:\program files\McAfee
2009-12-02 23:04 . 2006-08-09 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-17 20:36 . 2009-09-03 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((( SnapShot@2009-12-28_16.45.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-30 21:11 . 2009-08-07 00:24 44768 c:\windows\system32\wups2.dll
+ 2006-06-17 09:38 . 2009-08-07 00:24 35552 c:\windows\system32\wups.dll
+ 2006-06-17 09:38 . 2009-08-07 00:24 35552 c:\windows\system32\dllcache\wups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 16010752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"gunerifimi"="hebiyeva.dll" [BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-12-09 00:57 550912 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 03:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-03-21 18:19 69632 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
2006-09-14 05:00 950337 ----a-w- c:\program files\Trend Micro\Antivirus\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCClient.exe]
2006-09-14 05:00 634949 ----a-w- c:\program files\Trend Micro\Antivirus\PCClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-08-09 16:13 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 06:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 01:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-09-30 05:14 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 08:23 75520 ----a-w- c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TM Outbreak Agent]
2006-09-14 05:00 290816 ----a-w- c:\program files\Trend Micro\Antivirus\TMOAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\Support\\Check_Appli\\pandora_detection.exe"=
"c:\\Program Files\\Ubisoft\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2481:UDP"= 2481:UDP:Windows Media Format SDK (iexplore.exe)
"2480:UDP"= 2480:UDP:Windows Media Format SDK (iexplore.exe)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/30/2009 10:03 AM 93320]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [9/14/2006 12:00 AM 197648]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/14/2006 12:00 AM 31248]
S2 Tmntsrv;Trend NT Realtime Service;c:\program files\Trend Micro\Antivirus\Tmntsrv.exe [9/14/2006 12:00 AM 241737]
S2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Antivirus\tmproxy.exe [9/14/2006 12:00 AM 204873]
S3 ECRDRV;ECRDRV;c:\windows\system32\drivers\ecrdrv.sys [1/1/2007 5:26 PM 17636]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windstream.net/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {8D1D3EEF-A34F-4E59-B2C3-FD8D8EC876A0} = 193.104.110.38,4.2.2.1,74.128.17.114 74.128.19.102
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner.YOUR-DC3E0B8F38\Application Data\Mozilla\Firefox\Profiles\hp37wcgh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Owner.YOUR-DC3E0B8F38\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{d45e48b2-afe1-4d03-8ecd-81ab98a32320} - banubulo.dll
BHO-{fe78f301-4260-4ae9-b0bf-1c38f5b6e77e} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 13:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2692)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\ARPWRMSG.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-12-28 13:17:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 18:17
ComboFix2.txt 2009-12-28 16:47

Pre-Run: 226,490,961,920 bytes free
Post-Run: 226,454,982,656 bytes free

- - End Of File - - AA2ACB1CD70CFBE523A0FE79AF2F9E9C
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\wups2.dll
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

  • 0

#11
hazeledsunshine

hazeledsunshine

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello. I just got back to the office, and followed the next step. Here are the clipboard contents.


VirSCAN.org Scanned Report :
Scanned time : 2009/12/29 11:29:41 (EST)
Scanner results: Scanners did not find malware!
File Name : wups2.dll
File Size : 44768 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 5bd1234e11b39c63bba87022af6d43c2
SHA1 : e0c78caeb2cddabaaf090531832e8849fcf9c7e8
Online report : http://virscan.org/r...076fbb4f52.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091229200148 2009-12-29 4.90 -
AhnLab V3 2009.12.30.00 2009.12.30 2009-12-30 1.08 -
AntiVir 8.2.1.122 7.10.2.88 2009-12-29 0.12 -
Antiy 2.0.18 20091229.3546430 2009-12-29 0.12 -
Arcavir 2009 200912291044 2009-12-29 0.04 -
Authentium 5.1.1 200912290137 2009-12-29 1.30 -
AVAST! 4.7.4 091229-0 2009-12-29 0.01 -
AVG 8.5.288 270.14.123/2592 2009-12-29 0.36 -
BitDefender 7.81008.4793798 7.29661 2009-12-29 4.24 -
CA (VET) 35.1.0 7202 2009-12-28 6.81 -
ClamAV 0.95.2 10236 2009-12-29 0.01 -
Comodo 3.13 3403 2009-12-29 0.93 -
CP Secure 1.3.0.5 2009.12.29 2009-12-29 0.05 -
Dr.Web 4.44.0.9170 2009.12.29 2009-12-29 8.04 -
F-Prot 4.4.4.56 20091228 2009-12-28 1.25 -
F-Secure 7.02.73807 2009.12.29.13 2009-12-29 0.10 -
Fortinet 11.320- 11.320 2009-12-29 0.22 -
GData 19.9600/19.650 20091229 2009-12-29 6.50 -
ViRobot 20091229 2009.12.29 2009-12-29 0.41 -
Ikarus T3.1.01.79 2009.12.29.74854 2009-12-29 4.17 -
JiangMin 13.0.900 2009.12.29 2009-12-29 8.88 -
Kaspersky 5.5.10 2009.12.29 2009-12-29 0.07 -
KingSoft 2009.2.5.15 2009.12.29.14 2009-12-29 0.93 -
McAfee 5.3.00 5845 2009-12-28 3.39 -
Microsoft 1.5302 2009.12.29 2009-12-29 6.84 -
Norman 6.01.09 6.01.00 2009-12-28 4.01 -
Panda 9.05.01 2009.12.28 2009-12-28 2.20 -
Trend Micro 9.000-1003 6.730.07 2009-12-29 0.03 -
Quick Heal 10.00 2009.12.29 2009-12-29 1.44 -
Rising 20.0 22.28.01.03 2009-12-29 1.05 -
Sophos 3.03.0 4.49 2009-12-29 2.79 -
Sunbelt 3.9.2388.2 5586 2009-12-28 2.17 -
Symantec 1.3.0.24 20091228.004 2009-12-28 0.05 -
nProtect 20091229.02 6737157 2009-12-29 4.25 -
The Hacker 6.5.0.3 v00116 2009-12-28 0.82 -
VBA32 3.12.12.1 20091228.0950 2009-12-28 2.35 -
VirusBuster 4.5.11.10 10.118.13/2009741 2009-12-29 2.50 -
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#13
hazeledsunshine

hazeledsunshine

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi.
It took a while to get the Kaspersky website to finish the scan completely.


Malwarebytes' Anti-Malware 1.42
Database version: 3450
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/29/2009 1:15:46 PM
mbam-log-2009-12-29 (13-15-41).txt

Scan type: Quick Scan
Objects scanned: 124882
Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\fias4051 (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gunerifimi (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8d1d3eef-a34f-4e59-b2c3-fd8d8ec876a0}\NameServer (Trojan.DNSChanger) -> Data: 193.104.110.38,4.2.2.1,74.128.17.114 74.128.19.102 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 30, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 30, 2009 14:44:16
Records in database: 3416407
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 67896
Threats found: 3
Infected objects found: 16
Suspicious objects found: 0
Scan duration: 01:47:42


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon86.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate86.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
C:\Qoobox\Quarantine\[4]-Submit_2009-12-28_13.02.53.zip Infected: Packed.Win32.TDSS.aa 6
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP998\A0173746.exe Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP998\A0173754.exe Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP999\A0173846.exe Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP999\A0174846.exe Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP999\A0174851.exe Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP999\A0174862.exe Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP999\A0174937.exe Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

Selected area has been scanned.
  • 0
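The MBAM log above flags the interface's NameServer value as Trojan.DNSChanger, and the same resolver list appears on the "TCP:" line of the earlier ComboFix log. A defender reviewing such logs wants to pull the resolver addresses out and compare them with the resolvers the machine is supposed to use. The following is an added example (not code from the thread or from MBAM/ComboFix) that parses both log line formats; the two sample lines are copied from the logs posted here, while EXPECTED_RESOLVERS is a constructed assumption standing in for the office's real DNS servers.

```python
import re
import ipaddress

# Constructed samples: the Trojan.DNSChanger line from the MBAM log in this thread
# and the matching "TCP:" interface line from the ComboFix log.
SAMPLE_MBAM_LINE = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    r"\{8d1d3eef-a34f-4e59-b2c3-fd8d8ec876a0}\NameServer (Trojan.DNSChanger) "
    "-> Data: 193.104.110.38,4.2.2.1,74.128.17.114 74.128.19.102 -> No action taken."
)
SAMPLE_COMBOFIX_LINE = (
    "TCP: {8D1D3EEF-A34F-4E59-B2C3-FD8D8EC876A0} = "
    "193.104.110.38,4.2.2.1,74.128.17.114 74.128.19.102"
)

# Resolvers this hypothetical office expects on its interfaces. This set is an
# assumption for the example; replace it with the real DHCP/ISP/internal servers.
EXPECTED_RESOLVERS = {"4.2.2.1"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_nameservers(line):
    """Return the IPv4 resolver addresses listed in a NameServer-style log line.

    Handles both the MBAM form ("... -> Data: <value> -> ...") and the ComboFix
    form ("TCP: {guid} = <value>"). The value itself is comma- or space-separated,
    as both logs on this page show, so a regex over the value part is used.
    """
    if "Data:" in line:
        value = line.split("Data:", 1)[1]
    elif "=" in line:
        value = line.split("=", 1)[1]
    else:
        value = line
    servers = []
    for candidate in IPV4_RE.findall(value):
        try:
            ipaddress.IPv4Address(candidate)  # drop things like 999.1.1.1
        except ValueError:
            continue
        if candidate not in servers:
            servers.append(candidate)
    return servers


def interface_guid(line):
    """Return the interface GUID (lower-cased, without braces) or None."""
    m = re.search(r"\{([0-9a-fA-F-]{36})\}", line)
    return m.group(1).lower() if m else None


def unexpected_resolvers(line, expected=EXPECTED_RESOLVERS):
    """Resolvers on the line that are not in the expected set."""
    return [ip for ip in extract_nameservers(line) if ip not in expected]


def audit(lines, expected=EXPECTED_RESOLVERS):
    """Map interface GUID -> list of unexpected resolvers, for lines that have any."""
    findings = {}
    for line in lines:
        bad = unexpected_resolvers(line, expected)
        if bad:
            findings[interface_guid(line)] = bad
    return findings


if __name__ == "__main__":
    for guid, bad in audit([SAMPLE_MBAM_LINE, SAMPLE_COMBOFIX_LINE]).items():
        print(f"interface {guid}: unexpected resolvers {bad}")
```

Any address that comes back as unexpected should be checked against what the DHCP server or ISP actually hands out before it is treated as malicious; the point of the audit is to surface resolvers nobody configured on purpose, which is exactly what a DNS-changing trojan leaves behind.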

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    
    :Services
    
    :Reg
    
    :Files
    D:\i386\Apps\App00577\comps\toolbar\toolbr.exe
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





